mTLS + JWT authentication

Nilamadhaba_Rath · June 26, 2020, 11:25am

We are currently using JWT based end user authentication (Origin authentication). Now we are planning to use SSL certificate authentication via a whitelist of certificates allowed to connect end users (client). However, we want to have this in our Ingress Gateway.

Does istio ingress gateway has the support to handle both type of request.

if request has JWT token in header it should use the origin verification using the JWT issuer and provider config.
If request has the certificate then it validate the end user using the configured tls settings(serverCertificate, privateKey, caCertificates)

YangminZhu · July 10, 2020, 3:28am

if request has JWT token in header it should use the origin verification using the JWT issuer and provider config.

this can be done with AuthorizationPolicy on ingress gateway that allows the request if it has a valid JWT token.

If request has the certificate then it validate the end user using the configured tls settings(serverCertificate, privateKey, caCertificates)

This is not supported on ingress gateway for now. the authorization policy needs some update if you want to use it to enforce access control based on arbitrary fields in the x509 cert issued by non-istio CA.

Topic		Replies	Views
Terminating MTLS in ingressgateway - what about authorization? Security	5	2341	March 11, 2021
End User Auth for external use and MTLS for internal service-service communication? Security	17	2520	December 3, 2020
End User Certificate Authentication Security	6	2441	August 13, 2021
Both mTLS and non-mTLS traffic on same host Security security	0	508	April 5, 2021
Jwt origin auth on ingress for some hosts but not for others Security	5	1389	December 22, 2020

mTLS + JWT authentication

Related topics